
Yale New Haven Health has disclosed a data security incident that compromised the protected health information of up to 5,556,702 individuals, marking the largest healthcare data breach reported in 2025. The health system’s report to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) confirms the scale of the incident, surpassing the 4.7 million individuals affected in a separate breach at Blue Shield of California earlier this month.
Yale New Haven Health, a nonprofit network that operates five acute-care hospitals, a medical foundation, and multiple outpatient and multispecialty centers across Connecticut, New York, and Rhode Island, said it identified anomalous activity within its information technology systems on March 8, 2025. Immediate containment measures were taken, and an investigation was launched to determine the scope of the intrusion. The health system publicly announced the incident on its website three days later.
Cybersecurity firm Mandiant was retained to assist with the investigation and response efforts. Yale New Haven Health said the swift action limited the impact and prevented disruptions to patient care operations. The investigation confirmed that an unauthorized third party gained access to portions of the network and exfiltrated files containing patient data.
The organization emphasized that its electronic medical record system was not accessed, and no financial information was compromised. However, the stolen data included personally identifiable information and medical details such as names, addresses, phone numbers, email addresses, dates of birth, race or ethnicity, patient types, medical record numbers, and Social Security numbers. The specific data exposed varied by individual.
The health system began mailing notification letters to affected individuals on April 14, 2025, and is providing complimentary credit monitoring and identity theft protection services to those whose Social Security numbers were involved.
Yale New Haven Health stated that it continues to enhance its cybersecurity infrastructure to safeguard sensitive patient information and to mitigate the risk of future incidents. “We continuously update and strengthen our systems to protect the data entrusted to us,” the organization said in a statement.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543